BlueKeep exploitation expected soon


    This topic contains 29 replies, has 16 voices, and was last updated by  Paul T 2 weeks, 4 days ago.

    • #1881532

      Kirsty
      Da Boss

      Several hours ago, there was a lot of noise on Twitter about a Github explanation on how to “weaponize” BlueKeep, triggering fears it could soon be wi
      [See the full post at: BlueKeep exploitation expected soon]

      5 users thanked author for this post.
    • #1881535

      Kirsty
      Da Boss

      @gborn has also blogged, on borncity.com:
      BlueKeep warning: Exploit might come soon?

      4 users thanked author for this post.
    • #1881846

      woody
      Da Boss

      Per Vess Bontchev:

      …we’re one step closer to a BlueKeep worm – but not very close. I still think that there are considerable chances of it not happening.

      6 users thanked author for this post.
    • #1882059

      woody
      Da Boss

      We’ve received several anonymous posts about an exploit being posted on Darknet. Sorry, but that just isn’t true – at least, no readily usable exploit. If you know of something that actually works, please email me or DM Kevin Beaumont on Twitter. Color me extremely skeptical.

      6 users thanked author for this post.
    • #1882062

      geekdom
      AskWoody Plus

      I’ve installed updates that supposedly prevent the BlueKeep hack. Now, I’m going to forget about it as my worry bin is full.

      Group G{ot backup} Win7Pro · x64 · SP1 · i3-3220 · TestBeta · Microsoft Security Essentials
      2 users thanked author for this post.
    • #1882082

      warrenrumak
      AskWoody Plus

      @gborn has also blogged, on borncity.com:
      BlueKeep warning: Exploit might come soon?

      “It is currently estimated that approximately 800,000 systems are still unpatched and accessible via the Internet”

      I find it hard to believe that there are this many Windows XP / Vista / 7 / 2003 / 2008 / 2008R2 machines with RDP turned on that are fully exposed to the Internet.

      Granted there are plenty of “forgotten” Windows Server installations out there that aren’t getting patched…. but how many of them have a public IP address?

      • #1882176

        jabeattyauditor
        AskWoody Lounger

        I believe they’re coming up with a pretty accurate number using Shodan searches; it’s approximate only because systems are being patched or taken offline on an ongoing basis.

    • #1882117

      Sessh
      AskWoody Lounger

      So, does this mean there are folks who want this to happen? There’s now an online tutorial explaining how to use BlueKeep on a Microsoft-owned website? Sweet. They might want to do something about that, but then again maybe not.

      I’m still waiting for Spectre/Meltdown exploits to be in the wild from a year and a half ago to make all the performance losses from the patches worth it for those who installed them. I guess this online tutorial is an attempt to make sure this isn’t just FUD and something actually comes of it this time.

      It’s a shame FUD works so well on people, even techies, but if this tutorial does cause exploits to be released into the wild, it’s on a Microsoft-owned site and they are therefore responsible for it to some degree, are they not?

      3 users thanked author for this post.
      • #1882124

        jabeattyauditor
        AskWoody Lounger

        It’s a shame FUD works so well on people, even techies, but if this tutorial does cause exploits to be released into the wild, it’s on a Microsoft-owned site and they are therefore responsible for it to some degree, are they not?

        Just as responsible as Woody is for every word that you and I type here.

        • #1882369

          Sessh
          AskWoody Lounger

          I highly doubt that. This is a message board. GitHub is a code repository that, in this case, is hosting material that is telling people how to use code maliciously to take over people’s computers and potentially extort them or steal their personal information. Big, big difference. As owners, MS certainly can decide that this is malicious and bad for business. If they know it’s there, what its intents are, and leave it there where it ultimately causes damage, they are certainly responsible for taking no action.

          • #1882419

            jabeattyauditor
            AskWoody Lounger

            MS hasn’t taken on the role of content moderation on GitHub (that I can see, at least). There’s plenty of interesting stuff to be found.

      • #1883161

        Noel Carboni
        AskWoody_MVP

        Who is benefiting, business-wise, from this?

        -Noel

        1 user thanked author for this post.
        • #1883176

          Sessh
          AskWoody Lounger

          It seems Microsoft would stand to benefit if they can scare a few more of those annoying W7 users into getting Windows 10. Someone certainly seems to want this to happen. I don’t know how else to interpret there being a tutorial showing exactly how to use it while almost certainly knowing how it will be used and who it will be used on.

          • #1883719

            Kirsty
            Da Boss

            That’s an extraordinarily long bow to draw!

            Naw. If you think MS could organize something like this to drive Win10 migrations, you’re waaaaaaaaay overestimating their ability.

            The Microsoft conspiracy theories are out of place in a security issue, as I read Woody’s comment.

            1 user thanked author for this post.
            • #1884023

              woody
              Da Boss

              It also doesn’t make any sense.

              The tutorial doesn’t explain how to use BlueKeep, although it does fill in some gaps. There will be an exploit sooner or later, and the exploiter may rely on the Github stuff to come up with a working example. But MS isn’t aiding and abetting, and they certainly didn’t create the problem in the first place.

              Microsoft has nothing to gain from a BlueKeep exploit. Nothing. As you know, I am quick to lambaste Microsoft when they deserve it. (Sometimes too quick.) This isn’t one of those times.

              3 users thanked author for this post.
    • #1882394

      Seff
      AskWoody Plus

      “Are you protected?”

      It might be worthwhile to edit the article to add a reminder after that question of how you get protected. Most people don’t remember from one month to the next which update does what or whether they’ve installed it.

      2 users thanked author for this post.
      • #1882407

        Microfix
        Da Boss

        If you have the May SMQR (and/or June) installed, you’re covered.
        Group B patches need to have the May SO updates installed.

        More info over at Computerworld – Woody on Windows

        ********** Win7 x64/x86 | Win8.1 x64 | Linux Hybrids x64 **********

        3 users thanked author for this post.
        • #1882826

          woody
          Da Boss

          Yep. It’s that simple – if you’re running

          • Windows XP (including Embedded)
          • Windows Server 2003, Server 2003 Datacenter Edition
          • Windows 7
          • Windows Server 2008, Server 2008 R2

          You need to get patched now. There ARE NO EXPLOITS currently making the rounds, but you should get your system fixed. Very likely that we’ll see an exploit sooner or later.

          See my article from two months ago, https://www.computerworld.com/article/3395538/if-youre-running-windows-xp-7-or-associated-servers-patch-them.html

          2 users thanked author for this post.
          • #1883841

            woody
            Da Boss

            We’re getting more posts about there being a super-secret exploit available on the darknet. It just isn’t true. The claims on the dark net about some uber-sploit that bypasses Microsoft’s fixes aren’t true.

            https://twitter.com/GossiTheDog/status/1153933620647800832

            Of course, you can pay for an exploit, if you like — there are plenty for sale. But they don’t work. If they did, about 800,000 machines would be bowing to a new master right now, and we’d hear about it real fast.

            I repeat: Get those older machines patched. But keep your head about you. And, no, we won’t publish any darknet rants unless they’re proven factual.

            2 users thanked author for this post.
    • #1882401

      AngryJohnny75
      AskWoody Lounger

      So, does this mean there are folks who want this to happen? There’s now an online tutorial explaining how to use BlueKeep on a Microsoft-owned website? Sweet. They might want to do something about that, but then again maybe not.

      I’m still waiting for Spectre/Meltdown exploits to be in the wild from a year and a half ago to make all the performance losses from the patches worth it for those who installed them. I guess this online tutorial is an attempt to make sure this isn’t just FUD and something actually comes of it this time.

      It’s a shame FUD works so well on people, even techies, but if this tutorial does cause exploits to be released into the wild, it’s on a Microsoft-owned site and they are therefore responsible for it to some degree, are they not?

      I think you are on to something. I wouldn’t be surprised if the FUD and tutorial is being used as a scare tactic and last ditch effort to convince folks that they need to get off of these older OSes and get on to Windows 10.

      1 user thanked author for this post.
    • #1882416

      Seff
      AskWoody Plus

      So, does this mean there are folks who want this to happen? There’s now an online tutorial explaining how to use BlueKeep on a Microsoft-owned website? Sweet. They might want to do something about that, but then again maybe not.

      I’m still waiting for Spectre/Meltdown exploits to be in the wild from a year and a half ago to make all the performance losses from the patches worth it for those who installed them. I guess this online tutorial is an attempt to make sure this isn’t just FUD and something actually comes of it this time.

      It’s a shame FUD works so well on people, even techies, but if this tutorial does cause exploits to be released into the wild, it’s on a Microsoft-owned site and they are therefore responsible for it to some degree, are they not?

      I think you are on to something. I wouldn’t be surprised if the FUD and tutorial is being used as a scare tactic and last ditch effort to convince folks that they need to get off of these older OSes and get on to Windows 10.

      While every alternate article here dealing with the latest Windows 10 version issues reminds us why we shouldn’t do so!

      1 user thanked author for this post.
      • #1882827

        woody
        Da Boss

        Naw. If you think MS could organize something like this to drive Win10 migrations, you’re waaaaaaaaay overestimating their ability.

        1 user thanked author for this post.
    • #1882443

      OscarCP
      AskWoody Plus

      According to this GBorn blog page from May, referring to the problem now under discussion here:

      Critical update for Windows XP up to Windows 7 (May 2019)

      Starting with Windows 8, the vulnerability no longer exists in the Remote Desktop Service. Windows 7, Windows Server 2008, and Windows Server 2008 R2 receive a patch to close the vulnerability with regular Monthly Rollup or Security Online updates.

      Does this mean that if one has already applied the May Security(etc.) patch according to one’s patching group (A or B), then one does not need to turn off the Remote Desktop Service?  I’ve had (a) this patch installed since late May and (b) prefer to turn the RDS on occasionally, to make it easier to communicate between my Mac and my Windows 7 PC. I would appreciate some advice on whether this is a good thing to do, or not, and why.

      • #1882456

        Alex5723
        AskWoody Plus

        Does this mean that if one has already applied the May Security(etc.) patch according to one’s patching group (A or B), then one does not need to turn off the Remote Desktop Service?

        Yes. You are safe.

        3 users thanked author for this post.
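        A defender-side check that follows from Woody’s list of affected systems above and from the question about leaving Remote Desktop on; this is an added example, not code from the thread, from Microsoft, or from the linked blogs. It assumes the standard NT version numbers for the listed systems (XP 5.1, Server 2003 5.2, Vista/Server 2008 6.0, Windows 7/Server 2008 R2 6.1, Windows 8 6.2) and the usual Terminal Server registry value fDenyTSConnections; the hotfix listing is only a coarse cross-check against the May/June updates named in the thread, since the thread gives no KB numbers.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell prompt on the
# machine in question; works on the PowerShell 2.0 shipped with Windows 7.

$os  = Get-WmiObject -Class Win32_OperatingSystem
$ver = [version]$os.Version

# Assumption: XP = 5.1, Server 2003 = 5.2, Vista/2008 = 6.0, Win7/2008 R2 = 6.1.
# The blog quoted in the thread says Windows 8 (6.2) and later are not affected.
$affected = ($ver -lt [version]'6.2')

# fDenyTSConnections = 0 means the Remote Desktop listener accepts connections.
$ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                       -Name fDenyTSConnections -ErrorAction SilentlyContinue
$rdpEnabled = ($ts -ne $null -and $ts.fDenyTSConnections -eq 0)

"OS: $($os.Caption) ($ver)"
"In affected version range: $affected"
"Remote Desktop enabled:    $rdpEnabled"

if ($affected) {
    # Coarse heuristic only: list what was installed on or after the May 2019
    # Patch Tuesday (2019-05-14) so it can be compared with the May/June rollup
    # or Security Only update referred to in the thread.
    $since  = Get-Date '2019-05-14'
    $recent = Get-HotFix |
              Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $since } |
              Sort-Object InstalledOn
    if ($recent) {
        "Updates installed since $($since.ToShortDateString()):"
        $recent | Format-Table HotFixID, Description, InstalledOn -AutoSize
    } else {
        "No updates recorded since $($since.ToShortDateString()); verify the May/June fix is installed."
    }
    if ($rdpEnabled) {
        "Remote Desktop is enabled on an affected OS version: confirm the fix is installed, or disable Remote Desktop until it is."
    }
}
```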
      • #1888408

        anonymous

        I hope that there is no BlueKeep-like vulnerability that’s been patched in the July 2019 “security only” update that has the telemetry, because that’s not being installed on my laptops. And as far as that goes, any Microsoft Windows 7 “security only” patches that are not actually Security Only in fact are not getting installed.

        I’ll just have to consider that the Windows 7 extended support period has expired a little early and that’s Microsoft’s fault. So let’s hope that August 2019’s Security Only patches are not of that “Security Only” variety.

        I will be running Windows 7 after Jan 2020 and I’ll just make sure that any personal data is no longer on the laptops after Jan 2020. I’m not playing that cat and mouse game with Redmond’s snooping.


        • #1888815

          anonymous

          From above, “I will be running Windows 7 after Jan 2020 and I’ll just make sure that any personal data is no longer on the laptops after Jan 2020.”

          Maybe we use the term ‘personal data’ differently. When I use it, I am referring to all data created by me personally (the first party) while using the system (my Win7 leased copy from Microsoft, the second party). Not just my personal vital statistics and embarrassing party photos.

          From my mindset, I do not see the purpose of running a system with no personal data involved. It would just be an idling lump pushing electrons through the second party’s software (the OS, Win7) for no goal, converting electrical current to light and heat.

          I will be using a supported system to perform all computation and presentation of my personal data. No gamesmanship required. Just good commerce as agreed to by both parties.

          • #1889641

            anonymous

            Personal data removed and any windows 7 laptops just used for browsing and some other Laptop running Linux/Mac OS/Other non MS OS that’s patched and secured for any secure related usage.

            So the Windows 7 laptops are only used for browsing with no logging in etc. And with those Windows 7 laptops scrubbed clean of any personal files and data that can be used for nefarious reasons.

            The folks in Redmond are in for some security issues if they can not keep the spyware out of any further Windows 7 Security Only Updates up until Jan 2020, and July’s Windows 7 “Security Only” KB is not getting installed unless the telemetry is removed, BlueKeep or whatever. Security Only means SECURITY ONLY, Microsoft!

    • #1896542

      deanwmn
      AskWoody Plus

      Seems I’ve already been locked out of MS updates?  I can download them – but they won’t run! I’m no longer able to install and run them. They just sit there in my download file defying any and all attempts to actually do anything useful. I first ran Windows Installed Updates and it “searched for installed updates” for over a half hour until I finally finished cleaning the bathroom and got tired of waiting for it. I stopped it, went to MS and tried downloading the files individually. I could download them – but they wouldn’t run! I ran Malwarebytes, Windows Defender along with Wise Care 365. I can no longer run Windows Updates. I assume, of course, they would let me update to Win 10 – which is not going to happen! I

      • #1896547

        PKCano
        Da Boss

        Try again in a while. There have been reports of an outage with Windows Update.

        1 user thanked author for this post.
      • #1896662

        Paul T
        AskWoody MVP

        What do you mean you can’t run them? Do you get an error message?

        cheers, Paul
